ITSEC Games

Saturday, June 28, 2014

Web application security is today's most overlooked aspect of securing the infrastructure. These days, hackers are concentrating their efforts on our precious websites and web applications. Why? Websites and web applications are a very attractive target for cyber criminals and hacktivists because they are available 24/7 via the Internet. Mission-critical business applications, containing sensitive data, are often published on the Internet through a web interface. In addition, traditional firewalls and SSL provide no protection against web attacks, and systems engineers know little about these sophisticated application-level attacks…

It’s definitely time to improve our web security! Defense is needed… downloading and playing with bWAPP may be a first start… Wanted: superbees.

bWAPP, or a buggy web application, is a deliberately insecure web application. It helps security enthusiasts, systems engineers, developers and students to discover and to prevent web vulnerabilities. bWAPP prepares one to conduct successful web application penetration testing and ethical hacking projects. It is made for educational purposes.

What makes bWAPP so unique? Well, it has over 100 web bugs! bWAPP covers all major known web vulnerabilities, including all risks from the OWASP Top 10 project.

[The OWASP Top 10 provides an accurate snapshot of the current threat landscape in application security and reflects the collaborative efforts and insights of thousands of accomplished security engineers. To reflect the ongoing changes in technology and common online business practices, the list is periodically updated.]

bWAPP is a PHP application that uses a MySQL database. It can be hosted on Linux, Windows and Mac with Apache/IIS and MySQL. It can also be installed with WAMP or XAMPP.
Another possibility is to download the bee-box…

The bee-box is a custom Linux Ubuntu virtual machine, pre-installed with bWAPP. It is compatible with VMware Player, Workstation, Fusion, and with Oracle VirtualBox. It requires zero installation! bee-box gives you several ways to hack and deface the bWAPP website, currently there are 10 different website defacement possibilities! It's even possible to hack the bee-box, using a local privilege escalation exploit, to get full root access… Actually, with bee-box you have the opportunity to explore, and exploit, ‘all’ bWAPP vulnerabilities! Hacking, defacing and exploiting without going to jail... how cool is that?

Both are part of the ‘ITSEC Games’ project. The ‘ITSEC Games’ are a fun approach to IT security education. IT security, ethical hacking, training and fun... all mixed together! Our main objective is to teach InfoSec courses from an educational and recreational point of view.

Take a look at our ‘What is bWAPP?’ introduction guide: it includes free training materials and exercises. There is also a free cheat sheet available, containing all the bWAPP solutions…
Follow @MME_IT on Twitter, and receive this cheat sheet, updated on a regular basis, including the latest hacks and security hardening tweaks.

We also offer a 2-day exclusive comprehensive web security course: 'Attacking & Defending Web Apps with bWAPP'.
This course can be scheduled on demand, at your location.

In this article, I'll show you how you can find an exploit in bWAPP and port it to a Metasploit module to ease the exploitation of your loved bee-box (or any bWAPP aware box).

You probably all know the Metasploit Framework. If you don't know it yet, you should absolutely take a look at its website and download/install it. If you're using Kali Linux, Metasploit is already present in your beehive.

First, we need to find a valid exploit. For now, I'll take a basic SQL injection to spawn a shell/meterpreter on the box.

I'm a little lazy and the basics of SQL injection are out of scope, so if you don't know how to exploit it in bWAPP you can still refer to my (killed in the beehive) bwappexploitedsite.

So, starting from the fact that this injection works fine to get the current database:

' and 1=0 union all select 1,2,database(),4,5,6,7 -- -

We could abuse the SELECT INTO OUTFILE MySQL statement to write a PHP file, our backdoor, to the webserver.

But don't forget you're injecting into MySQL, so the mysql user or a group it belongs to must have write permissions on the folder where you want to write the backdoor.

An image or document folder is often a good choice, as it is typically used to upload images through an admin web interface.

In this case, the « images » folder is writable :) (http://yourip/bWAPP/images/)
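Before a file write like this is even possible, three things have to line up on the database side: the injected account must hold MySQL's global FILE privilege, secure_file_priv must allow writes in the target directory, and the mysqld OS user must have write permission there. The Python helper below is an added example (not part of this post, bWAPP or the bee-box) that checks the first two conditions against SHOW GRANTS output and the secure_file_priv value; the grant lines, the 'bee' account and the paths are constructed for the demonstration.

```python
import re

# Constructed SHOW GRANTS output for a web application's database account.
# These lines are made up for the example; they are not bee-box output.
SAMPLE_GRANTS = [
    "GRANT USAGE ON *.* TO 'bee'@'localhost'",
    "GRANT SELECT, INSERT, UPDATE, DELETE, FILE ON *.* TO 'bee'@'localhost'",
    "GRANT ALL PRIVILEGES ON `bWAPP`.* TO 'bee'@'localhost'",
]

GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+(?P<account>\S+)", re.I)


def has_file_privilege(grant_lines):
    """True if a global (ON *.*) grant carries FILE or ALL PRIVILEGES.
    FILE is a global privilege: ALL on a single database does not include it,
    and SELECT ... INTO OUTFILE is refused without it."""
    for line in grant_lines:
        m = GRANT_RE.match(line.strip())
        if not m or m.group("scope") != "*.*":
            continue
        privs = {p.strip().upper() for p in m.group("privs").split(",")}
        if privs & {"FILE", "ALL", "ALL PRIVILEGES"}:
            return True
    return False


def outfile_targets(secure_file_priv):
    """Map the secure_file_priv setting to where INTO OUTFILE may write:
    None (SQL NULL) disables file import/export, "" means no restriction,
    a path confines writes to that directory."""
    if secure_file_priv is None:
        return "nowhere"
    if secure_file_priv == "":
        return "anywhere"
    return secure_file_priv


def _inside(path, root):
    root = root.rstrip("/")
    return path.rstrip("/") == root or path.startswith(root + "/")


def assess(grant_lines, secure_file_priv, web_root):
    """Findings on whether an injection through this account could be turned
    into a file write under the web root (the mysqld OS user must still have
    write permission on the directory, which is checked on the host)."""
    findings = []
    if not has_file_privilege(grant_lines):
        return findings
    findings.append("account holds the global FILE privilege")
    where = outfile_targets(secure_file_priv)
    if where == "nowhere":
        findings.append("secure_file_priv is NULL: INTO OUTFILE is disabled")
    elif where == "anywhere":
        findings.append("secure_file_priv is empty: INTO OUTFILE may write to any "
                        "mysqld-writable directory, including " + web_root)
    elif _inside(where, web_root):
        findings.append("secure_file_priv points inside the web root (" + where + ")")
    else:
        findings.append("secure_file_priv confines writes to " + where +
                        ", outside the web root")
    return findings


if __name__ == "__main__":
    for setting in (None, "", "/var/lib/mysql-files", "/var/www/bWAPP/images"):
        print(repr(setting), assess(SAMPLE_GRANTS, setting, "/var/www/bWAPP"))
```

Feed it the real SHOW GRANTS lines and the value of SELECT @@secure_file_priv from your own instance. Revoking FILE from the web application's account, or pointing secure_file_priv at a directory outside the web root, closes this particular step from injection to backdoor even when the injection itself is still there.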

Sunday, December 22, 2013

Hi little bees, are you getting bored during the Christmas holidays? No panic, stay tuned with us... this time we are organizing a free bWAPP Xmas Hacking Challenge. Nothing to win, just for fun (and for educational purposes of course).

bWAPP, or a buggy web application, is a deliberately insecure web application.

It helps security enthusiasts, developers and students to discover and to prevent web vulnerabilities. bWAPP prepares you to conduct successful penetration testing and ethical hacking projects. What makes bWAPP so unique? Well, it has over 60 web bugs! bWAPP covers all major known web vulnerabilities, including all risks from the OWASP Top 10 project!

Are you ready to get started with our Xmas Hacking Challenge? First of all, we need YOUR public IP address. E-mail us your public IP address at bWAPP [at] itsecgames.com. Once we receive your IP, we add you to our white-list and we e-mail you back all the details. Now you are ready to roll!

The first five tweeters who successfully accomplished a challenge are listed on our bWAPP Hack Hall of Fame.

[ CHALLENGE 1 ] Bug to exploit: SQL Injection - Extracting Data

A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands (sources: OWASP).

Your first mission is to grab and crack Santa's password using SQL injection. A user 'Santa Claus' was added in the bWAPP database. We need the clear text password of that user...
Tweet your solutions, findings, and screenshots to @MME_IT #bWAPP.

Hack Hall of Fame:

Your second mission is to upload a file using SQL injection. Name the file [your_name]-sqli.htm and tweet a screenshot as proof to @MME_IT #bWAPP.

Good luck... this will probably be your first (legal) website defacement!

HINT: use an automated SQL injection tool like sqlmap. sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

Hack Hall of Fame:

SSIs are directives present on Web applications used to feed an HTML page with dynamic contents. They are similar to CGIs, except that SSIs are used to execute some actions before the current page is loaded or while the page is being visualized. In order to do so, the web server analyzes SSI before supplying the page to the user.

The Server-Side Includes attack allows the exploitation of a web application by injecting scripts in HTML pages or executing arbitrary codes remotely. It can be exploited through manipulation of SSI in use in the application or force its use through user input fields.

It is possible to check if the application is properly validating input fields data by inserting characters that are used in SSI directives, like: < ! # = / . " - > and [a-zA-Z0-9]

Another way to discover if the application is vulnerable is to verify the presence of pages with extension .stm, .shtm and .shtml. However, the lack of these type of pages does not mean that the application is protected against SSI attacks.

In any case, the attack will be successful only if the web server permits SSI execution without proper validation. This can lead to access and manipulation of file system and process under the permission of the web server process owner.

The attacker can access sensitive information, such as password files, and execute shell commands. The SSI directives are injected in input fields and they are sent to the web server. The web server parses and executes the directives before supplying the page. Then, the attack result will be viewable the next time that the page is loaded for the user's browser (sources: OWASP).
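As an added example that is not part of the challenge text or of bWAPP, the Python below implements the input check the OWASP paragraphs describe from the defender's side: it looks for the <!--#command shape of an SSI directive, reports which of the listed metacharacters are present, and escapes the value before it is written into a page the server will parse. The sample inputs, and the echo/DATE_LOCAL directive used to exercise it, are constructed for the demonstration.

```python
import html
import re

# Apache-style SSI directives have the shape <!--#cmd attr="value" -->.
SSI_DIRECTIVE = re.compile(r"<!--\s*#\s*([A-Za-z]+)")

# The characters the OWASP text above lists as SSI metacharacters.
SSI_METACHARS = set('<!#=/."->')

# Constructed inputs for the demonstration (not taken from the challenge).
SAMPLE_INPUTS = {
    "plain": "John Smith",
    "quoted": 'John "Bee" Smith',
    "directive": 'John<!--#echo var="DATE_LOCAL" -->',
}


def find_ssi_directives(value):
    """Names of the SSI directives embedded in a user-supplied string."""
    return [m.group(1).lower() for m in SSI_DIRECTIVE.finditer(value)]


def ssi_metachars_in(value):
    """Sorted subset of the SSI metacharacters present in the string."""
    return sorted(SSI_METACHARS & set(value))


def classify(value):
    """Input-validation verdict: 'reject' when a complete directive is
    present, 'review' when only loose metacharacters are, 'ok' otherwise.
    The metacharacter check is a heuristic (a dot or a quote in a name is
    harmless on its own); the directive check is the hard gate."""
    if find_ssi_directives(value):
        return "reject"
    if ssi_metachars_in(value):
        return "review"
    return "ok"


def render_safely(value):
    """Escape before the string lands in a page the server may parse for
    SSI: '<' becomes '&lt;', so the stored output no longer contains a
    directive even if validation was skipped."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    for label, value in SAMPLE_INPUTS.items():
        print(label, classify(value), find_ssi_directives(value),
              "->", render_safely(value))
```

Validation and output escaping are complementary here: classify() stops the obvious directive at the input field, while render_safely() guarantees that whatever is stored can never be parsed as a directive when the .shtml page is served.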

Your third mission is to create a file using SSI injection. Name the file [your_name]-ssii.htm and tweet a screenshot as proof to @MME_IT #bWAPP. Another website defacement...

In the demo, the TV is connected by Ethernet cable to a home network; after running the exploit against the TV's IP address, the TV restarts a few seconds later and repeats the process.

This means that a potential attacker only needs to obtain access to the LAN that the TV has joined, in order to attack it. This can be done either by breaking into a wireless access point or by infecting a computer on the same network with malware.

Feel free to make a root exploit and to hack your Samsung TV...

Now we need firewall and antivirus protection for our televisions too :)
Samsung did not immediately return a request for comment. A shame...

Tuesday, July 16, 2013

The bee-box is a custom Linux Ubuntu virtual machine (VM), pre-installed with bWAPP.

bee-box is compatible with VMware Player, Workstation, Fusion, and with Oracle VirtualBox. It requires zero installation!

bee-box gives you several ways to hack and deface the bWAPP website, currently there are 10 different website defacement possibilities! It's even possible to hack the bee-box, using a local privilege escalation exploit, to get full root access… Actually, with bee-box you have the opportunity to explore, and exploit, ‘all’ bWAPP vulnerabilities! Hacking, defacing and exploiting without going to jail... how cool is that?

Monday, January 21, 2013

Is bWAPP vulnerable for SQL injection? Yes of course. This is the purpose of bWAPP, our extremely buggy web application. It has some nice injection issues... I made them intentionally, remember?

No... I will not explain in detail what SQL injection is!

A SQL injection attack is probably the easiest attack to prevent, while being one of the least protected against forms of attack. The core of the attack is that a SQL command is appended to the back end, usually through a form field in the website or web application, with the intent of breaking the original SQL statement and then running the SQL statement that was injected into the form field. I'm sure you can find enough tutorials on the Internet about SQL injection. Here's an example of a pretty nice article.

Yes... I will explain how to exploit bWAPP using SQL injection and how to take ownership of the database and even the underlying operating system. Definitely!

Currently there are 5 bugs in bWAPP related to SQL injection:

1. the Search page, where you can search for a movie(s) using a search string. The movie(s) details will be displayed as a result of your search.

2. the Select page, where you can select a specific movie from a drop-down list.

3. the Login page, where you can enter your credentials to login.

4. the Blind SQL injection page, where you also can search for a movie. The application will tell you if the movie exists or not. You will not see the movie details... maybe that's the reason why I called this the Blind SQL injection page :)

5. and where is bug number 5?

A little challenge for you... somewhere in the application there is an issue with a SQL insertion. It's up to you to tell us where. Please give us your feedback @MME_IT.

The Search page

Here you can search for a movie(s) using a search string. The movie(s) details will be displayed as a result of your search. If you click the search button without entering any search string then all movies will be displayed.

The injection symptoms: when entering a single quote (') in the title field we receive the following message:

'Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%'' at line 1'

I love that message!

Here we go for some basic SQL injection fun:

blah' or 1=1--

results in all the records:

blah' or 1=2--

results in 0 records:

So the URL parameter title is definitely susceptible to SQL injection:
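The symptoms above (a lone quote, the 1=1 versus 1=2 pair, later the UNION probing) also leave a trace in the web server's access log, which is where a defender first notices them. The Python below is an added example, not something from this post or from bWAPP, that decodes the query string of each request and tags the parameter values with the pattern that fired; the log lines, the client addresses and the /bWAPP/search.php path are constructed placeholders, not bee-box data.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed Apache combined-format lines. /bWAPP/search.php is a placeholder
# for the search page, not a real bWAPP file name.
LOG_LINES = [
    '10.0.0.5 - - [21/Jan/2013:10:00:01 +0100] "GET /bWAPP/search.php?title=Iron&action=search HTTP/1.1" 200 4123 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [21/Jan/2013:10:00:07 +0100] "GET /bWAPP/search.php?title=%27&action=search HTTP/1.1" 200 2201 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [21/Jan/2013:10:00:15 +0100] "GET /bWAPP/search.php?title=blah%27+or+1%3D1--&action=search HTTP/1.1" 200 9870 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [21/Jan/2013:10:00:22 +0100] "GET /bWAPP/search.php?title=blah%27+union+select+1%2C1%2C1%2C1%2C1%2C1--&action=search HTTP/1.1" 200 3100 "-" "sqlmap/1.0"',
]

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"')

# Each signature is applied to the *decoded* parameter value.
SIGNATURES = {
    "quote": re.compile(r"'"),
    "tautology": re.compile(r"'\s*(or|and)\s+\S+\s*=\s*\S+", re.I),
    "union_select": re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I),
    "comment_terminator": re.compile(r"--|/\*"),
    "file_write": re.compile(r"\binto\s+(out|dump)file\b", re.I),
    "schema_probe": re.compile(r"\binformation_schema\b", re.I),
}


def inspect_params(target):
    """Decode the query string (percent-encoding and '+') and return the set
    of signature names that fire on any parameter value."""
    tags = set()
    for _, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        for tag, pattern in SIGNATURES.items():
            if pattern.search(value):
                tags.add(tag)
    return tags


def scan_log(lines):
    """One finding per suspicious request: line number, client, HTTP status
    and the sorted list of tags. Requests with no tag are not reported."""
    findings = []
    for number, line in enumerate(lines, start=1):
        m = LOG_RE.match(line)
        if not m:
            continue
        tags = inspect_params(m.group("target"))
        if "sqlmap" in m.group("agent").lower():
            tags.add("scanner_ua")
        if tags:
            findings.append({"line": number, "client": m.group("client"),
                             "status": int(m.group("status")),
                             "tags": sorted(tags)})
    return findings


if __name__ == "__main__":
    for finding in scan_log(LOG_LINES):
        print(finding)
```

A single quote on its own is weak evidence (names like O'Brien trigger it too), so in practice the interesting signal is the sequence: a quote, then a tautology pair, then UNION attempts with a growing column count, all from one client in a short window. POST-based pages need the same check on request bodies, which the access log does not record.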

What's next? Do you want to view some data not intended for you? I mean some real confidential information! Of course you do, let's go... You could use the SQL UNION statement to merge database tables. First of all, you need to make sure that you use the same number of columns as the original SQL statement when using UNION!

blah' union select 1--

results in the following message:

After a while you will discover that you should use 6 columns:

blah' union select 1,1,1,1,1,1--

results in:

And that's great! Now we can play with the field order and display the name of the current database:

blah' union select 1,DATABASE(),1,1,1,1--

We have found the name of the current database: bWAPP. Now our mission is to retrieve the table names of the current database:

OK, we have the values! We exploited the underlying database by retrieving some confidential data. Apparently the password value is stored as a hash and cannot be read in clear text. Those guys from MME are doing a great job...

After 10 seconds, 1 password was already cracked using John :p

Of course, we knew that the password for user bee was bug. I'm just trying to convince you to use complex passwords!

Let's summarize: we retrieved some data that was not intended for us. We retrieved the password hashes and we cracked a password. What's next?

Right... we will take over the database and the underlying operating system. One of my favorite tools for doing that is sqlmap.

sqlmap is an open source pentesting tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections (source: sqlmap.org). It is written in Python.

Using sqlmap we also have the possibility to get a shell on the underlying operating system. Actually the tool uploads a web shell that runs your favorite OS commands. A very nice and powerful tool. Thank you Bernardo and Miroslav!

Feel free to test for SQL injection vulnerabilities using the bWAPP web application. As you know there are 5 different bugs related to SQL injection. You can download bWAPP from here. Don't forget to set the security level to low or medium. With security level high you will notice that SQL injection is no longer possible, because every user input is validated. This is done with the MySQL real escape string function and with prepared statements.
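To show concretely what the low and high security levels change, here is an added Python example (not bWAPP's own PHP code) with the Search page query written both ways: the vulnerable version concatenates the search string into the SQL text, the hardened version binds it as the parameter of a prepared statement. SQLite stands in for MySQL so the example runs offline (the exact comment and function syntax differ between the two engines, the injection mechanics do not); the movie rows and column names are constructed assumptions, and the payloads are the ones used earlier in this post.

```python
import sqlite3

# Constructed rows standing in for bWAPP's movies table. The column names are
# an assumption for this example; only the count of six matches the post.
MOVIES = [
    (1, "Alpha Strike", 2010, "action", "Alice", "tt0000001"),
    (2, "Beta Dawn", 2011, "drama", "Bob", "tt0000002"),
    (3, "Gamma Rising", 2012, "sci-fi", "Carol", "tt0000003"),
]

COLUMNS = "id, title, release_year, genre, main_character, imdb"


def connect():
    """In-memory SQLite database loaded with the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE movies (id INTEGER, title TEXT, release_year INTEGER, "
                "genre TEXT, main_character TEXT, imdb TEXT)")
    con.executemany("INSERT INTO movies VALUES (?, ?, ?, ?, ?, ?)", MOVIES)
    return con


def search_vulnerable(con, title):
    """The low-security pattern: the search string is pasted into the SQL
    text, so a quote closes the literal and OR clauses, UNIONs and comment
    markers become part of the statement."""
    sql = "SELECT " + COLUMNS + " FROM movies WHERE title LIKE '%" + title + "%'"
    return con.execute(sql).fetchall()


def search_safe(con, title):
    """The high-security pattern: a prepared statement with a bound
    parameter. The search string travels as data and is only ever compared
    against the title column, never parsed as SQL."""
    sql = "SELECT " + COLUMNS + " FROM movies WHERE title LIKE ?"
    return con.execute(sql, ("%" + title + "%",)).fetchall()


def probe(search, con, payload):
    """Run one search and report ('rows', rows) or ('error', message).
    The error/no-error difference is the symptom the post describes."""
    try:
        return ("rows", search(con, payload))
    except sqlite3.Error as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    con = connect()
    for payload in ["Alpha", "blah' or 1=1--", "blah' or 1=2--",
                    "blah' union select 1--", "blah' union select 1,1,1,1,1,1--"]:
        print(repr(payload))
        print("  vulnerable:", probe(search_vulnerable, con, payload))
        print("  prepared:  ", probe(search_safe, con, payload))
```

Against the prepared statement every payload simply becomes a title search for a string that no movie contains, and there is no error message to learn from. Escaping helps for the quoted-string case, but the bound parameter is what makes the column-count and UNION games impossible.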

If you want to know more about SQL injection and tools like sqlmap, don't hesitate to subscribe for our ITSEC training. Or just invite me to your security event. It would be an honor for me to speak at your event!


About Me

Malik Mesellem is an IT security professional with over 15 years of experience. Malik has always had a passion for ethical hacking and penetration testing... obsessed with Windows and web application (in)security.

In 2010, he started his own company, MME BVBA. MME is specialized in IT security audits, vulnerability assessments, penetration testing and InfoSec training.

Malik gives master classes, lectures and workshops on conferences and for several institutions. For Belgium, Malik is an OWASP ZAP evangelist and a mentor for the SANS Institute.

In 2012, Malik started with a new project, ITSEC GAMES. ITSEC GAMES are a combination of IT security, ethical hacking, training and fun! The training courses are educational as well as recreational, and organized in a simulated live environment with real targets. Also part of this project is bWAPP...